collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?
« previous next »
Pages: [1]

Author Topic: VPN Assigned IP in ISE  (Read 11704 times)

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
VPN Assigned IP in ISE
« on: November 28, 2016, 12:20:36 PM »
Is there a way for ISE to get the assigned IP for a VPN user connecting through anyconnect?

The user can auth without issues, It's just in the live log the IP address field is blank. I would like ISE to know the users IP so that I can apply WSA and Firepower polices based on User to IP mapping.
Logged

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #1 on: November 28, 2016, 12:27:39 PM »
I figured it out.

Had to add accounting to the anyconnect profile.

Works now :)
Logged

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #2 on: November 28, 2016, 01:53:20 PM »
So the IP address is showing in the ISE live logs, but the login events are not being sent to WSA and FMC.

I have passiveID setup and if I login to a system with AD that login event is indeed being seen in WSA and FMC.

Shouldn't the VPN logins as well be sent via pxGrid to WSA and FMC?
Logged

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: VPN Assigned IP in ISE
« Reply #3 on: November 30, 2016, 12:15:01 AM »
Glad you figured it out.  :) I believe VPN IP/Username mapping is published to pxGrid. I am pretty sure I had that setup before and FMC can see VPN user. Do you have .1x setup also? If so, do you see user login on FMC after a successful .1x login?
Logged

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #4 on: December 01, 2016, 07:20:58 AM »
yeah .1x info shows in FMC. Even when I turn the passive ID off.
Logged

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: VPN Assigned IP in ISE
« Reply #5 on: December 01, 2016, 08:36:05 AM »
It seems to be working now. Very Strange.

One interesting note is that it looks like you cannot create access rules based on AD group when using ISE/pxGrid in WSA. It limits to SGT's

So I just needed to edit my policy to add the SGT to the Authorization profile. Works like a charm.

Also setup IP spoofing on the WSA with the reverse WCCP statements on the switch, and FMC shows the actual client IP and not the WSA IP for all web traffic. 

Now to get it into production.  ;D
Logged

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: VPN Assigned IP in ISE
« Reply #6 on: December 01, 2016, 10:45:01 PM »
Sweet.. Glad that worked out.. Looks like you have an interesting setup  :)
Logged
Pages: [1]
« previous next »
 
SimplePortal 2.3.7 © 2008-2024, SimplePortal